Information Security News mailing list archives

U.S. gov't blindly trusts the antivirus industry


From: InfoSec News <isn () c4i org>
Date: Wed, 19 Mar 2003 01:03:19 -0600 (CST)

http://vmyths.com/rant.cfm?id=562&page=4

by Rob Rosenberger
03/16/03 

NO COMEDY IN today's column, folks. I want to speak to all U.S. 
federal employees, military members, and contractors who use a 
government-issued PC.

"No comedy, Rob?" Don't worry. I sometimes work against muscle memory 
to keep myself flexible.

I try to catch White House flunky Howard Schmidt whenever he appears 
on CNN or C-SPAN. Oh, sure, he utters silly statements from time to 
time -- but he strikes me as a breath of fresh air compared to the 
negligent man he used to call "boss." I'm an unabashed fan of 
Schmidt's and I ain't afraid to admit it. Call me crazy but I like the 
guy.

For example, Schmidt points out the threat of our "blind trust in 
software firms" in a city where trust creates an obstacle to success. 
He cites examples like the P-Tech Software/Al Qaeda Terrorism 
investigation and the JECC Software/Aum Shinrikyo Terrorism 
investigation.

The White House now runs commercials linking drug sales to terrorism. 
Schmidt works for the White House and he wants you to know software 
sales may fund terrorism, too. Indeed, Schmidt could make a very 
strong case against ... antivirus companies.

And I would agree with him. Let me explain.

The computer security industrial complex sells its products to the 
world and their global business plans run counter to U.S. national 
security. I don't make this claim lightly. Antivirus firms in 
particular follow no security theology. They release dangerous 
data/code to anybody they choose for any arbitrary reason.

For example, major U.S. antivirus firms such as Symantec & Network 
Associates admit they gave cyber-smallpox technology to Beijing for 
years while they deprived Washington of it.

And they'll go right on ignoring security with impunity. A global 
antivirus cartel grabbed us by the short & curlies a loooooong time 
ago and they've never loosened their grip. For example, Washington 
ironically pays those very same U.S. firms to defend beltway PCs from 
the threat of Beijing's computer viruses. What's wrong with this 
picture?

Schmidt's interviews & speeches point out the threat of our own blind 
trust in antivirus firms. Now, I'll admit he says "software firms," 
but this of course includes the antivirus industry. If you raised your 
right hand to defend the Constitution against all enemies (foreign or 
domestic), then you must open your eyes to this problem. You must open 
your eyes to the security industry's non-existent security theology.

To put it simply: you need to treat your government PC like you treat 
a GSA safe or a STU-III.

I DON'T MEAN how you treat the documents in the safe or the things you 
say during a call. I mean how you treat the safe or the phone itself.

You can identify everyone who knows the combination to your GSA safe 
or who holds a key to your STU-III -- but you don't know any of the 
antivirus employees over the years who at one time or another enjoyed 
full access to your for-official-use-only PC.

Some antivirus programmers carry passports from countries we don't 
like to associate with. One prominent U.S. virus expert will never 
hold a security clearance because of his ties to the Chinese national 
police. Experts in the antivirus cartel believe a prominent Russian 
member in their group has strong ties to the KGB. The cartel as a 
whole believes one Israeli antivirus firm bears strong ties to 
Mossad.

[Full disclosure: Wired magazine claims I've got ties to the CIA. I 
don't, but let's pretend I do. Who would you trust more? Me, or the 
guy with ties to the Chinese national police? Ah, but there's the rub! 
You blindly trust the other guy by default.]

Our enemies earn far more respect from the antivirus industry than we 
do. We know it for a fact and I don't make this claim lightly. 
Antivirus firms don't want our friendship -- they just want our money. 
I quote myself from a telltale 2001 column: 

 NSA & CIA made it clear they wanted to join the inner sanctum of 
 antivirus experts... The spooks in D.C. wanted to tap into the 
 industry's massive knowledge base -- but the industry declined. 
 "We encourage you to give us any intelligence data you have," the 
 industry mused, "but we need to sanitize our own data before we 
 can give it to outsiders. It's just too sensitive."

 "Besides," the experts continued, "each of our firms is a large 
 multinational conglomerate. We don't want to look like a tool of the 
 CIA. It's bad for business..." Then [the White House] learned the 
 antivirus industry trades viruses with China. "Ouch." Antivirus firms 
 aren't a tool of the CIA -- they're a tool of the PRC! Bad for 
 business, indeed. 

You'll never let these people touch a GSA safe or a STU-III, but 
you'll blindly let their software protect your NIPRNET & SIPRNET 
computers. In fact, your agency will blindly throw money at them every 
time their software fails to protect your PC from a virus. What's 
wrong with this picture?

(Don't confuse "access" with "break-ins." Spies can access a GSA safe 
or a STU-III just by breaking a window. And know this: the antivirus 
industry evolved as a global cartel by no later than September 1999.)

If you raised your right hand to defend the U.S., then your security 
theology should include your government PC. If you watch Schmidt on 
CNN or C-SPAN, then you know he feels the same way I do. He wants 
America to overcome its blind trust in software firms. "Software 
firms" includes antivirus firms.

"BUT ROB!" YOU protest. "How can I, an individual, overcome the 
government's blind trust in antivirus firms? I don't control federal 
negotiations for their products and I can't even stop a network 
administrator from forcing it down my PC's throat at every bootup."

Believe it or not, you can help the government overcome its blind 
addiction to COTS antivirus software. You really can. First, though, 
you need to open your own eyes. Let me explain.

You see that PC sitting on (or under) your desk? I kid you not: the 
Pentagon recently declared it a "weapon system." By definition, then, 
DoD's security theology should include the PC. But it doesn't. The 
Pentagon should not protect a weapon system with software written by 
people they'd never trust. Yet they do.

Only in the antivirus industry -- I repeat, only in the antivirus 
industry! -- can you: 

1.  declare the entire planet as your customer base; 

2.  sell a product that routinely fails to do what you advertise it 
    can do; 

3.  rely on an addictive update model as your prime revenue stream; 

4.  rely on a global media fetish as your prime marketing stream; 

5.  configure your software so it deletes the important log files it 
    creates; 

6.  hire uncleared foreign nationals to write software that protects 
    top secret computers; 

7.  expect applause when you release hundreds of security patches for 
    your product each year; 

8.  ignore the blatant security flaws in your own product; 

9.  exploit the blatant security flaws in your competitors' products; 

10. engage in industrial espionage without fear of a government 
    crackdown; 

11. violate copyright laws and commit plagiarism with the blessing of 
    your corporate legal counsel; 

12. curb technological innovation through the use of bribery and/or 
    character assassination; 

13. refuse to alert your own customers to security threats discovered 
    by your competitors; 

14. supply hostile enemies with the technology to destroy your own 
    customers; 

    AND MOST IMPORTANT OF ALL: 

15. make your customer-addicts feel perfectly comfortable with all of 
    the above! 

I don't make any of these claims lightly ... but I need to add two 
caveats for journalistic integrity. First: I insist antivirus firms 
sometimes use illegal means to acquire a competitor's virus library, 
though I've not yet documented it. (It would force me to reveal my 
sources.) Second: it doesn't violate my personal code of ethics when 
antivirus firms arm an oppressive communist regime for a possible 
cyber-war against the United States. (I explain why here.) Of course, 
my industry ethics don't apply to "U.S. federal employees, military 
members, and contractors who use a government-issued PC."

The antivirus industry wants everyone to feel perfectly comfortable 
when they do anything they wish for any reason they choose, especially 
if it threatens the very people who buy antivirus software. What's 
wrong with this picture?

They want every CIA employee to feel perfectly comfortable using 
antivirus software written by people the CIA would never trust. They 
want every NSA employee to feel perfectly comfortable with it, too. 
Same thing for every FBI employee. The antivirus industry wants every 
military contract negotiator to feel perfectly comfortable with it. 
They want every DoD CERT official and every network administrator to 
feel perfectly comfortable with it. They want every user to feel 
perfectly comfortable with it, too.

In a word: "everyone."

[Continued in part 2]



-
ISN is currently hosted by Attrition.org
